Improving integral attacks against Rijndael



Abstract: This report presents new integral properties for the variants of Rijndael with block sizes larger than 128 bits. Using particular distinguishers and extensions of known attacks, the derived properties make it possible to attack 7 and 8 rounds of Rijndael.

Keywords: block ciphers, cryptanalysis, integral attacks, Rijndael-b
1 Introduction

Rijndael-b is an SPN block cipher designed by Vincent Rijmen and Joan Daemen [3]. It has been chosen as the new Advanced Encryption Standard by the NIST [6] with a 128-bit block size and a variable key length, which can be set to 128, 192 or 256 bits. In its full version, the block length b and the key length Nk can range from 128 up to 256 bits in steps of 32 bits, as detailed in [3] and in [8]. There are 25 instances of Rijndael. The number of rounds Nr depends on the text size b and on the key size Nk and varies between 10 and 14 (see Table 1 for partial details). For all the versions, the current block at the input of round r is represented by a 4 × t matrix of bytes A^{(r)} = (a^{(r)}_{i,j}), with t = b/32.



The round function, repeated Nr − 1 times, involves four elementary mappings, all linear except the first one:

• SubBytes: a bytewise transformation that applies to each byte of the current block an 8-bit to 8-bit non-linear S-box S.

• ShiftRows: a linear mapping that rotates to the left all the rows of the current matrix; the values of the shifts (given in Table 1) depend on b.

• MixColumns: a linear matrix multiplication; each column of the input matrix is multiplied by the matrix M, which provides the corresponding column of the output matrix.

• AddRoundKey: an x-or between the current block and the subkey K_r of round r.

Those Nr − 1 rounds are surrounded at the top by an initial key addition with the subkey K_0 and at the bottom by a final transformation composed of a call to the round function where the MixColumns operation is omitted. The key schedule derives Nr + 1 b-bit round keys K_0 to K_Nr from the master key K of variable length.
Table 1: Parameters of the Rijndael block cipher, where the triplet given for the ShiftRows operation designates the required number of byte shifts for the second, the third and the fourth row.

Many cryptanalyses have been proposed against Rijndael-b; the first one against all the versions of Rijndael-b is due to the algorithm designers themselves and is based upon integral properties ([1], [2], [10]) that allow to efficiently distinguish 3 inner rounds of Rijndael from a random permutation. This attack has been improved by Ferguson et al. in [5], allowing to cryptanalyse an 8-round version of Rijndael-b with a complexity equal to 2^{204} trial encryptions and 2^{128} − 2^{119} plaintexts.

Following the dedicated work of [7], this paper presents new four-round integral properties of Rijndael-b and the resulting 7- and 8-round attacks, which are substantially faster than exhaustive key search. Note also that those attacks greatly improve the previous results on Rijndael-b, essentially the ones given in [8] and in [9].

This paper is organized as follows: Section 2 recalls the integral properties known against Rijndael-b and investigates the new four- and five-round properties. Section 3 presents the deduced 7- and 8-round attacks. Section 4 concludes this paper.

2 The integral properties 

We describe in this section the original four-inner-round integral property against the AES described in [5], the five-round integral property of Rijndael-256 described in [7] and the new integral properties against all the Rijndael-b versions where b is larger than 128 bits.
2.1 Introduction and Notations

In [10], L. Knudsen and D. Wagner analyse integral cryptanalysis as a dual to differential attacks, particularly applicable to block ciphers with bijective components. A first-order integral cryptanalysis considers a particular collection of m words in the plaintexts and ciphertexts that differ on a particular component. The aim of this attack is thus to predict the values in the sums (i.e. the integral) of the chosen words after a certain number of rounds of encryption. The same authors also generalize this approach to higher-order integrals: the original set to consider becomes a set of m^d vectors which differ in d components and where the sum of this set is predictable after a certain number of rounds. The sum of this set is called a dth-order integral.

2.1.1 Notations 

We first introduce and extend the consistent notations proposed in [10] for expressing word-oriented integral attacks. For a first-order integral, we have:

• The symbol 'C' (for "Constant") in the ith entry means that the values of all the ith words in the collection of texts are equal.

• The symbol 'A' (for "All") means that all words in the collection of texts are different.

• The symbol 'S' (for "Sum") means that the sum of all ith words can be predicted.

• The symbol '?' means that the sum of the words cannot be predicted.

For a dth-order integral cryptanalysis:

• The symbol 'A^d' corresponds with the components that participate in a dth-order integral, i.e. if a word can take m different values then 'A^d' means that in the integral, the particular word takes all values exactly m^{d-1} times.

• The term 'A_i^d' means that in the integral the string concatenation of all words with subscript i takes the m^d values exactly once.

• The symbol '(A_i^d)^k' means that in the integral the string concatenation of all words with subscript i takes the m^d values exactly k times.

• The symbol 'Eq_i' found for two different words means that the sums of all values taken on those particular words are equal.

2.1.2 Integral properties of the AES 

In order to understand the principles of an integral property, we give the example of the AES (Rijndael-128). Consider a collection of 256 texts which have different values in one byte and equal values in all other bytes. Then it follows that after two rounds of encryption the texts take all 256 values in each of the sixteen bytes, and that after three rounds of encryption the sum of the 256 bytes in each position is zero, as shown in [2]. Also, note that there are 16 such integrals, since the position of the non-constant byte in the plaintexts can be any of the sixteen bytes. The integral is illustrated in Figure 1 (where an arrow represents a complete round). This integral can be used to attack four rounds of Rijndael-128 with small complexity (note that the final round is special and does not include MixColumns), counting over one key byte at a time: simply guess a key byte and compute byte-wise backwards to check whether the sum of all 256 values is zero.
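The 3-round property and the one-byte key guess just described, as an added example (not code from the paper): a compact Rijndael-b encryption for t = 4..8 columns with the AES S-box derived from its definition, independent random round keys (an assumption: the integral property does not depend on the key schedule, so it is left out), a check that the 256-text first-order integral yields zero XOR-sums in every byte after three full rounds for every block size and every active position, and the recovery of one byte of the last round key of the 4-round version by guessing it and summing S^{-1}[c ⊕ k] backwards over several sets. Function names such as three_round_integral_holds and recover_last_key_byte are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ShiftRows offsets of rows 0..3, indexed by the number of columns t = b/32 (Table 1 of the paper) */
static const int SHIFT[9][4] = {{0},{0},{0},{0},{0,1,2,3},{0,1,2,3},{0,1,2,3},{0,1,2,4},{0,1,3,4}};
static const uint8_t MC[4] = {2, 3, 1, 1};              /* first row of the MixColumns matrix M */
static uint8_t SBOX[256], INV_SBOX[256];
static uint32_t rng = 1;                                /* toy LCG, only for round keys and constants */

static uint8_t gmul(uint8_t a, uint8_t b) {             /* multiplication in GF(2^8), x^8+x^4+x^3+x+1 */
    uint8_t r = 0;
    for (int i = 0; i < 8; i++, b >>= 1) {
        if (b & 1) r ^= a;
        a = (uint8_t)((a << 1) ^ ((a & 0x80) ? 0x1B : 0));
    }
    return r;
}
static void init_tables(void) {                         /* S(x) = affine(x^-1), i.e. the AES S-box */
    for (int x = 0; x < 256; x++) {
        int inv = 0, s, b;
        for (int y = 1; x && y < 256; y++) if (gmul((uint8_t)x, (uint8_t)y) == 1) { inv = y; break; }
        s = b = inv;
        for (int i = 0; i < 4; i++) { b = ((b << 1) | (b >> 7)) & 0xFF; s ^= b; }
        SBOX[x] = (uint8_t)(s ^ 0x63);
        INV_SBOX[SBOX[x]] = (uint8_t)x;
    }
}
static uint8_t rnd8(void) { rng = rng * 1103515245u + 12345u; return (uint8_t)(rng >> 16); }

/* One round on the 4*t-byte state s[row + 4*col]; mix == 0 gives the final round without MixColumns */
static void rijndael_round(uint8_t *s, int t, const uint8_t *rk, int mix) {
    uint8_t tmp[32];
    for (int i = 0; i < 4 * t; i++) s[i] = SBOX[s[i]];                                  /* SubBytes */
    for (int r = 0; r < 4; r++)                                                          /* ShiftRows */
        for (int c = 0; c < t; c++) tmp[r + 4 * c] = s[r + 4 * ((c + SHIFT[t][r]) % t)];
    for (int c = 0; c < t; c++)                                                          /* MixColumns */
        for (int i = 0; i < 4; i++) {
            uint8_t v = 0;
            for (int k = 0; k < 4; k++) v ^= gmul(MC[(k - i + 4) & 3], tmp[k + 4 * c]);
            s[i + 4 * c] = mix ? v : tmp[i + 4 * c];
        }
    for (int i = 0; i < 4 * t; i++) s[i] ^= rk[i];                                      /* AddRoundKey */
}
/* Initial key addition then nr rounds; the last one omits MixColumns when final != 0 */
static void encrypt(uint8_t *s, int t, uint8_t rk[][32], int nr, int final) {
    for (int i = 0; i < 4 * t; i++) s[i] ^= rk[0][i];
    for (int r = 1; r <= nr; r++) rijndael_round(s, t, rk[r], !(final && r == nr));
}

/* Three full rounds on the 256-text first-order integral (one 'A' byte, the rest 'C'): returns 1 if
   every output byte XORs to zero for every choice of the active position. */
int three_round_integral_holds(int t, uint32_t seed) {
    uint8_t rk[4][32], base[32], s[32];
    init_tables(); rng = seed;
    for (int r = 0; r < 4; r++) for (int i = 0; i < 32; i++) rk[r][i] = rnd8();
    for (int i = 0; i < 32; i++) base[i] = rnd8();
    for (int pos = 0; pos < 4 * t; pos++) {
        uint8_t sum[32] = {0};
        for (int v = 0; v < 256; v++) {
            memcpy(s, base, 32); s[pos] = (uint8_t)v;
            encrypt(s, t, rk, 3, 0);
            for (int i = 0; i < 4 * t; i++) sum[i] ^= s[i];
        }
        for (int i = 0; i < 4 * t; i++) if (sum[i]) return 0;
    }
    return 1;
}

/* 4-round Rijndael-b (three full rounds plus the final one): for ciphertext position pos, keep the
   last-round key-byte guesses k for which S^-1[c ^ k] XORs to zero over each 256-text set.
   Returns the number of surviving guesses; *truth and *guess get the real byte and the lowest survivor. */
int recover_last_key_byte(int t, int pos, int nsets, uint32_t seed, uint8_t *truth, uint8_t *guess) {
    static uint8_t ct[256][32];
    uint8_t rk[5][32], base[32], alive[256];
    int n = 0;
    init_tables(); rng = seed;
    for (int r = 0; r < 5; r++) for (int i = 0; i < 32; i++) rk[r][i] = rnd8();
    memset(alive, 1, sizeof alive);
    for (int set = 0; set < nsets; set++) {
        for (int i = 0; i < 32; i++) base[i] = rnd8();
        for (int v = 0; v < 256; v++) { memcpy(ct[v], base, 32); ct[v][0] = (uint8_t)v; encrypt(ct[v], t, rk, 4, 1); }
        for (int k = 0; k < 256; k++) {
            uint8_t sum = 0;
            for (int v = 0; v < 256; v++) sum ^= INV_SBOX[ct[v][pos] ^ k];
            if (sum) alive[k] = 0;                     /* a wrong guess passes one set with probability 1/256 */
        }
    }
    *truth = rk[4][pos]; *guess = 0;
    for (int k = 0; k < 256; k++) if (alive[k]) { if (!n) *guess = (uint8_t)k; n++; }
    return n;
}
int recovery_ok(int t, int pos, uint32_t seed) {       /* 1 iff exactly the real byte survives four sets */
    uint8_t truth, guess;
    return recover_last_key_byte(t, pos, 4, seed, &truth, &guess) == 1 && truth == guess;
}
int main(void) {
    for (int t = 4; t <= 8; t++)
        printf("Rijndael-%d: 3-round integral %s, last-round key byte %s\n", 32 * t,
               three_round_integral_holds(t, 7) ? "holds" : "FAILS", recovery_ok(t, 4 * t - 1, 11) ? "recovered" : "FAILS");
    return 0;
}
```

Four 256-text sets leave a wrong guess alive with probability 2^{-32}, so the single survivor is the real byte; running the same loop for each ciphertext position recovers the whole last subkey, which is the "small complexity" attack on four rounds. The check also confirms that the three-round property itself is independent of the block length: in the wider variants some bytes are still constant after two rounds, but a constant summed over 256 texts is zero as well.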

This 3-round property can be extended by one round at the beginning using 2^{32} plaintexts, i.e. to a 4th-order integral property as described in [5]. The main observation is that the 2^{32} plaintexts can be seen as 2^{24} copies of the above first-order integrals (starting in the second round). Since the texts in each integral sum to zero in any byte after the fourth round, so does the sum of all 2^{32} plaintexts. The running time of this attack greatly improves on the previous one, especially concerning the key-bytes search. Figure 2 depicts this four-round fourth-order integral against Rijndael-128.
Figure 1: The 3-round first-order integral for Rijndael-128, where S = 0.



2.1.3 An integral property for Rijndael-256 

In [7], the authors show a new third-order integral property against 4 rounds of Rijndael-256 which essentially relies on the slow diffusion of Rijndael-256. Using the previous notations, we can easily describe this property as shown in Figure 3.
Figure 2: A 4-round fourth-order integral for Rijndael-128 with 2^{32} texts.
Figure 3: 4-round third-order integral property of Rijndael-256



As shown in [7], this particular property can be extended by one round at the beginning using a 4th-order integral (considering that it represents 2^8 copies of the third-order four-round integral) to build a 5-round distinguisher that uses 2^{32} plaintexts, testing if the sum taken over all initial values of a particular byte belonging to the third or to the seventh column is equal to zero. This leads to the first 9-round attack against Rijndael-256.

2.2 The new integral properties of Rijndael-b

In this section, we present new integral properties against Rijndael-b. Those properties have been found using always the same methodology: consider after one round a full column of active bytes, say (y_0, y_1, y_2, y_3), then after two rounds express each byte of the corresponding state according to this column. Thus, one can see the dependencies between the bytes of two consecutive rounds and directly deduce the bytes that must take all possible values to obtain balanced bytes at the end of the third round and thus predictable sums at the end of the fourth round.
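The C/A/S/? bookkeeping of Section 2.1.1 and the dependency tracing described above, written out as an added example (not part of the paper): a first-order pattern propagation for every Rijndael-b, using the usual conservative rules (SubBytes keeps C and A and turns S into ?; ShiftRows permutes; MixColumns turns a column with a single A among constants into four A, any other mix of balanced words into S, and any column containing a ? into ?). It reproduces Figure 1 for t = 4 and shows, for the wider variants, which columns are still constant after two rounds, the slow diffusion the new properties rely on. It does not track MixColumns coefficients, which the authors' own analysis needs for the higher-order and Eq properties; the function names are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* ShiftRows offsets of rows 0..3, indexed by the number of columns t = b/32 (Table 1 of the paper) */
static const int SHIFT[9][4] = {{0},{0},{0},{0},{0,1,2,3},{0,1,2,3},{0,1,2,3},{0,1,2,4},{0,1,3,4}};

/* MixColumns on a column of symbols: one 'A' among constants stays a bijection of the text index,
   any other mix of balanced words (several 'A', or an 'S') is only balanced, any '?' is lost */
static char mix_symbol(const char *col) {
    int a = 0, s = 0, q = 0;
    for (int i = 0; i < 4; i++) { a += col[i] == 'A'; s += col[i] == 'S'; q += col[i] == '?'; }
    if (q) return '?';
    if (a == 0 && s == 0) return 'C';
    return (a == 1 && s == 0) ? 'A' : 'S';
}

/* One full round on a pattern p of 4*t symbols stored as p[row + 4*col]; AddRoundKey changes nothing */
void propagate_round(char *p, int t) {
    char tmp[32];
    for (int i = 0; i < 4 * t; i++) if (p[i] == 'S') p[i] = '?';            /* SubBytes: C->C, A->A, S->? */
    for (int r = 0; r < 4; r++)                                              /* ShiftRows: a permutation */
        for (int c = 0; c < t; c++) tmp[r + 4 * c] = p[r + 4 * ((c + SHIFT[t][r]) % t)];
    for (int c = 0; c < t; c++) {                                            /* MixColumns, column by column */
        char m = mix_symbol(tmp + 4 * c);
        for (int i = 0; i < 4; i++) p[i + 4 * c] = m;
    }
}

/* Pattern after `rounds` rounds from a single 'A' at byte position pos; out receives 4*t symbols plus NUL */
void first_order_pattern(int t, int pos, int rounds, char *out) {
    memset(out, 'C', 4 * t); out[4 * t] = 0; out[pos] = 'A';
    for (int r = 0; r < rounds; r++) propagate_round(out, t);
}
int count_symbol(int t, int pos, int rounds, char sym) {
    char p[33]; int n = 0;
    first_order_pattern(t, pos, rounds, p);
    for (int i = 0; i < 4 * t; i++) n += p[i] == sym;
    return n;
}
/* Rounds after which no 'C' byte is left, i.e. the active byte has reached every position */
int rounds_to_full_diffusion(int t) {
    int r = 0;
    while (count_symbol(t, 0, r, 'C') > 0) r++;
    return r;
}
int main(void) {
    for (int t = 4; t <= 8; t++) {
        printf("Rijndael-%d (t = %d): full diffusion after %d rounds\n", 32 * t, t, rounds_to_full_diffusion(t));
        for (int r = 0; r <= 4; r++) {
            char p[33]; first_order_pattern(t, 0, r, p);
            printf("  after %d round(s):", r);
            for (int row = 0; row < 4; row++) { printf(" "); for (int c = 0; c < t; c++) putchar(p[row + 4 * c]); }
            putchar('\n');
        }
    }
    return 0;
}
```

For t = 4 the output is Figure 1 (one A, a column of A, sixteen A, sixteen S, then all ?); for t = 8 half of the bytes are still C after two rounds and only after three rounds is every byte balanced, which is the room the third- and second-order properties of the next subsections exploit.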

2.2.1 Rijndael-256 

We have found another 4-round integral property, of second order, as shown in Figure 4. Using computer simulations, we have found 42 third-order integral properties and 48 second-order integral properties (essentially the shifted ones).

As previously done, this second-order four-round property can be extended by one round at the beginning using an 8th-order integral (considering that it represents 2^{48} copies of the second-order four-round integral), as previously described, and by two rounds at the beginning using a 24th-order integral, as done in [8] and as shown in Figure 5.

Thus, we obtain first a four-round distinguisher that uses 2^{16} plaintexts, testing if the sum taken over all initial values of a particular byte belonging to the third, the sixth, the seventh or the eighth column is equal to zero. We also obtain a five-round distinguisher that uses 2^{64} plaintexts, testing if the same sum taken over the 2^{64} values is also equal to zero. The six-round distinguisher that uses 2^{192} plaintexts is the same, even if the corresponding memory complexity is here unreachable.
Figure 4: The second-order integral property of Rijndael-256
Figure 5: Extension of the Rijndael-256 property by two rounds at the beginning using a 24th-order integral
2.2.2 Rijndael-224 

In the same way, we have found a second-order 4-round integral property for Rijndael-224, as shown in Figure 6. We have found 42 second-order integral properties (essentially the shifted ones).
Figure 6: Four-round second-order integral property of Rijndael-224



As previously done, this second-order four-round property can be extended by one round at the beginning using an 8th-order integral (considering that it represents 2^{48} copies of the second-order four-round integral), as previously described, and by two rounds at the beginning using a 24th-order integral.

Thus, we obtain first a four-round distinguisher that uses 2^{16} plaintexts, testing if the sum taken over all initial values of a particular byte belonging to the first column is equal to zero. We also obtain a five-round distinguisher that uses 2^{64} plaintexts, testing if the same sum taken over the 2^{64} values is also equal to zero. The six-round distinguisher that uses 2^{192} plaintexts is the same.



2.2.3 Rijndael-192 

In the same way, we have found a second-order 4-round integral property for Rijndael-192, as shown in Figure 7. This integral differs from the others because it implies that two particular sums are equal to each other, and not to zero. This particular property comes from the fact that the first term Eq_0 is a linear combination of 4 particular terms of the previous round. Among those words, three are balanced (i.e. the complete sum at the end is equal to 0) and the last one comes from a '?' of the previous round. Thus, we obtain in fact the simple sum of the word '?'; more precisely, the sum becomes after MixColumns 01 · Σ'?' ⊕ 0, where 0 is the null sum taken over the three balanced bytes. Then, notice that the second term Eq_0 is computed from exactly the same 4 words and that the MixColumns coefficient applied to the same word '?' is also 01. Thus, we obtain two equal sums. In fact, on this particular column, we obtain 6 possible equalities up to the MixColumns coefficient.
Figure 7: Second-order 4-round integral property of Rijndael-192



We have also found a third-order 4-round integral property for Rijndael-192, as shown in Figure 8. We have found 42 second-order integral properties (essentially the shifted ones).
Figure 8: Third-order 4-round integral property of Rijndael-192

As previously done, the second-order four-round integral can be extended by one round at the beginning using an 8th-order integral (considering that it represents 2^{48} copies of the second-order four-round integral), testing if the sums of two particular bytes are equal, and by two rounds at the beginning using a 24th-order integral. In this case, we obtain exactly the same distinguishers as the ones described in the previous subsections.

In the case of the third-order four-round integral, it can easily be extended by one round at the beginning using a 12th-order integral (considering that it represents 2^{72} copies of the third-order four-round integral). But if we try to add one more round at the beginning, we need to consider the entire codebook of Rijndael-192, which is not possible (because, as mentioned in [5], in this case even the wrong keys yield zero in the key-bytes search when summing over all 2^{192} encryptions, since Rijndael-192 is a permutation). Thus, in this case, we need to use the herd technique proposed in [5] and detailed in Subsection 3.2.

In conclusion, we obtain first a four-round distinguisher that uses 2^{24} plaintexts, testing if the sum taken over all initial values of a particular byte belonging to the fifth or the sixth column is equal to zero. We also obtain a five-round distinguisher that uses 2^{96} plaintexts, testing if the same sum taken over the 2^{96} values is also equal to zero.

2.2.4 Rijndael-160 

We have also found a third-order 4-round integral property for Rijndael-160, as shown in Figure 9. We have found 42 third-order integral properties (essentially the shifted ones).

Thus, we can easily extend this integral by one round at the beginning using a 12th-order integral (considering that it represents 2^{72} copies of the third-order four-round integral). We cannot add one more round at the beginning, for the same reasons as the ones given in the case of Rijndael-192. Thus, in this case, we need to use the herd technique proposed in [5].

Figure 9: Integral property of Rijndael-160

Thus, we obtain first a four-round distinguisher that uses 2^{24} plaintexts, testing if the sum taken over all initial values of a particular byte belonging to the fourth column is equal to zero. We also obtain a five-round distinguisher that uses 2^{96} plaintexts, testing if the same sum taken over the 2^{96} values is also equal to zero.

3 The proposed attacks 

We can exploit the 4-, 5- and 6-round integral properties previously described to mount elementary attacks against 6-, 7- and 8-round versions of Rijndael-b, using the partial sums technique described in [5] to add two rounds at the end. To attack the 8-round versions of Rijndael-192 and Rijndael-160, we introduce the herd technique also described in [5].

3.1 The partial sums technique 

We can extend the previous 5-round and 6-round distinguishers by adding two rounds at the end using the partial sums technique introduced in [5]. We describe here the original attack and then directly apply it to our case.

This extension works in the original paper on a 6-round version of the AES and looks at a particular byte of A^{(4)} to test the 4th-order integral property described in Figure 2 and how it relates to the ciphertext. First, the authors rewrite the cipher slightly by putting the AddRoundKey before the MixColumns in round 5. Instead of applying MixColumns and then adding K_5, they first add in K'_5, each byte of which is a linear combination of four bytes of K_5, and then apply MixColumns. Under this rewriting, it is easy to see that any byte of A^{(4)} depends on the ciphertext, on four bytes of K_6 and on one byte of K'_5, considering that the sixth round is the last one and does not contain a MixColumns operation. Then, only the five key bytes of the two last rounds remain unknown.

Moreover, the authors improve the complexity of their attack using a technique called "partial sums" to sequentially decipher the two last rounds according to the values of the five unknown key bytes. They first compute from the i-th ciphertext c_i the following partial sums: ∀k ∈ {0, …, 3}, x_k := ⊕_{j=0}^{k} S_j[c_{i,j} ⊕ k_j], where S_0, S_1, S_2, S_3 represent the inverse of the S-box S multiplied by a component of InvMixColumns, c_{i,j} the byte number j of c_i, and k_0, …, k_3 the four bytes of K_6. Note that the searched value at the end of the 4 rounds is thus a^{(4)}_{i,j} = S^{-1}[x_3 ⊕ k_4], where k_4 is the implied byte of K'_5.

They use the transformation (c_0, c_1, c_2, c_3) → (x_k, c_{k+1}, …, c_3) to sequentially determine the different values of k_k and to split the global computation into 4 steps of key-byte search with 2^{48} operations each, corresponding to 2^{50} S-box lookups for each set of 2^{32} ciphertexts (see [5] for the details of the complexities). To discard false alarms (i.e. bad keys that pass the test), they need to repeat this process on 6 different sets with 2^{32} elements. Then, the general complexity of the partial sums attack against a 6-round version of the AES is about 2^{44} encryptions (considering that 2^8 S-box applications are roughly equivalent to one trial encryption) using 6 · 2^{32} plaintexts.

We can directly apply this technique to all the versions of Rijndael-b to recover 5 particular key bytes of the two last rounds using 6 different sets of plaintexts. We sum up the corresponding results in Table 2. Note also that when looking at the second-order four-round integral of Rijndael-192, one needs to guess in parallel 2 × 5 key bytes. The partial sums technique can however be applied 2 times, but all the first 5 guessed key bytes must be stored. We thus increase the required memory. Note also, as done in [5], that we can add at the end of the two rounds added using the partial sums technique a last round, guessing 4 particular columns of the last subkey. In this case, we perform an exhaustive search on 16 subkey bytes whereas the 5 other key bytes are determined using always the partial sums technique. The corresponding results are also given in Table 2.
Table 2: Summary of attacks on Rijndael-b using the partial sums technique



3.2 The herd technique for Rijndael-192 and Rijndael-160 

In [5], the authors develop a technique to improve their 6-round AES attack by adding one round at the beginning. This new attack naively requires the entire codebook of 2^{128} known plaintexts, which can be divided into 2^{96} packs of 2^{32} plaintexts/ciphertexts that each represent 2^{24} first-order integrals with one active byte after two rounds. But this property cannot be directly exploited, because in this case even the wrong keys pass the test due to the bijective behavior of the cipher.

Instead, they use a particular byte at the end of the first round, say a^{(2)}_{i,j}, different from the four bytes implied in the integral, with a fixed value x. With a^{(2)}_{i,j} = x, they obtain a set of 2^{120} possible encryptions composed of 2^{88} packs, where each pack is a 4th-order integral containing 2^{24} first-order integrals. They call this structure with 2^{120} elements a herd. If they sum up values on a herd, then the integral property is only preserved for the correct key.

Thus, they notice that this particular byte a^{(2)}_{i,j} depends on only four bytes of plaintext, say (p_4, …, p_7), and on four bytes of the key K_0. As done for the partial sums technique, they can split the exhaustive search on the four key bytes of K_0 required to entirely determine the value of a^{(2)}_{i,j} into a three-phase attack using 2^{64} counters m_y for the first phase and 2^{32} counters for the second, whereas the third phase filters information for the key guesses. The attack works as follows: in the first phase, the counter m_y is incremented at bit level according to the 64-bit value y = (c_0, …, c_3, p_4, …, p_7); in the second phase, the four bytes of K_0 are guessed to compute a^{(2)}_{i,j} and to split the counters into herds; then a single herd is selected and the second counter is updated by adding z = (c_0, …, c_3) for each y that is in the good herd; in the third phase, the five key bytes of K_7 and of K'_6 are guessed to decrypt each z to a single byte of A^{(5)}, this byte is summed over all the 2^{32} values of z (with multiplicities) and checked for zero. This last phase must be repeated for each initial guess of the four bytes of K_0.

The first phase requires about 2^{120} trial encryptions and the rest of the attack has a negligible complexity compared to it (see [5] for some details about the attack complexity). Then, the total complexity of this attack is 2^{120} encryptions and 2^{64} bits of memory using 2^{128} chosen plaintexts. The authors provide another improvement of their attack, remarking that the four plaintext bytes (p_4, …, p_7) and the four guessed key bytes of K_0 define four bytes of A^{(2)}, so they can create 2^{24} smaller herds with 2^{104} elements by fixing three more bytes of A^{(2)}, to reduce the plaintext requirements to 2^{128} − 2^{119} texts.

So, we can directly apply this attack against the 8-round versions of Rijndael-192 and Rijndael-160. The results are summed up in Table 3.
Table 3: Summary of attacks on Rijndael-192 and on Rijndael-160 using the herd technique

Cipher         Key size   Time                 Chosen plaintexts     Memory
Rijndael-192   256        2^{192} − 2^{119}    2^{192} − 2^{119}     (illegible in the source)
Rijndael-160   256        2^{160} − 2^{119}    2^{160} − 2^{119}     (illegible in the source)



4 Conclusion 

In this paper, we have investigated new 4-round integral properties of Rijndael-b for several values of b and then built several deduced attacks up to 8 rounds. Note that those attacks are better than the ones described in [9], in [8] and in [5] when applied to Rijndael-b, but do not improve the one proposed in [7] against Rijndael-256.

However, we think that those new properties clearly improve the best results known about Rijndael-b and highlight the behavior of Rijndael-b under integral cryptanalysis, noticing that the greater the number of columns is, the lower the order of the integral is.